Skip to content

Configure SAML 2.0 Back-Channel Logout

This page guides you through SAML 2.0 back-channel logout for applications with MWARE IAM. This will ensure that the user is logged out from all configured applications with a single logout request via one of the applications.

Scenario

The user is required to log in to two different applications. For convenience and security, the user should be logged out of both the applications when the user attempts to log out from either one of them.

Register the service providers

You need to register the two sample applications as service providers in MWARE IAM.

Pickup Dipatch

  1. Log in to the Management Console (https://<IS_HOST>:<PORT>/carbon) using admin/admin credentials.

  2. Navigate to Main > Identity > Service Providers and click Add.

  3. Enter saml2-web-app-pickup-dispatch in the Service Provider Name text box, and click Register.

  4. In the Inbound Authentication Configuration section, click Configure under the SAML2 Web SSO Configuration section.

    1. Now set the configuration as follows:

      • Issuer: saml2-web-app-pickup-dispatch.com
      • Assertion Consumer URL: http://localhost.com:8080/saml2-web-app-pickup-dispatch.com/home.jsp

      Click Yes, in the message that appears.

    2. Select the following checkboxes:

      • Enable Response Signing
      • Enable Single Logout
      • Enable Attribute Profile
      • Include Attributes in the Response Always
      • Enable Signature Validation in Authentication Requests and Logout Requests

    Tip

    For more information on the advanced configurations, see Advanced SAML Configurations.

  5. Click Register to save the changes.

Pickup Manager

  1. Access the MWARE IAM Management Console (https://<IS_HOST>:<PORT>/carbon).

  2. Navigate to Main > Identity > Service Providers and click Add.

  3. Enter saml2-web-app-pickup-manager in the Service Provider Name text box, and click Register.

  4. In the Inbound Authentication Configuration section, click Configure under the SAML2 Web SSO Configuration section.

    1. Now, set the configuration as follows:

      • Issuer: saml2-web-app-pickup-manager.com
      • Assertion Consumer URL: http://localhost.com:8080/saml2-web-app-pickup-manager.com/home.jsp

      Click Yes, in the message that appears.

    2. Select the following check-boxes:

      • Enable Response Signing
      • Enable Single Logout
      • Enable Attribute Profile
      • Include Attributes in the Response Always
      • Enable Signature Validation in Authentication Requests and Logout Requests

    Tip

    For more information on the advanced configurations refer, Advanced SAML Configurations.

  5. Click Register to save the changes.

Deploy the samples

  1. Download Apache Tomcat 8.x from here and install. Tomcat server installation location will be referred as <TOMCAT_HOME> later in this guide.

    Info

    It is recommended that you use a hostname that is not localhost to avoid browser errors. Modify the /etc/hosts entry in your machine to reflect this. Note that wso2is.local is used in this documentation as an example, but you must modify this when configuring the authenticators or connectors with this sample application.

  2. Download the following samples:

  3. Copy the downloaded saml2-web-app-pickup-dispatch.com.war and saml2-web-app-pickup-manager.com.war files into the <TOMCAT_HOME>/apache-tomcat-<version>/webapps folder. 

  4. Start the Tomcat server.

You are now ready to try out SAML SSO with the Pickup Dispatch and Pickup Manager sample web applications.

Configure CORS

SAML2 POST Binding requires CORS configurations to be set up.

Before configuring the service provider, add the following configurations to the deployment.toml file found in <IS_HOME>/repository/conf/. Adding this configuration allows HTTP POST requests.

``` toml
[cors]
allow_generic_http_requests = true
allow_any_origin = false
allowed_origins = [
    "http://localhost:8080"
]
allow_subdomains = false
supported_methods = [
    "GET",
    "POST",
    "HEAD",
    "OPTIONS"
]
support_any_header = true
supported_headers = []
exposed_headers = []
supports_credentials = true
max_age = 3600
tag_requests = false
```

Try it

Once you have configured all your applications, access them on separate tabs in your browser. When you log out from one of the applications, it should log you out from all the other configured applications.

  1. Access the Pickup Dispatch application, http://localhost.com:8080/saml2-web-app-pickup-dispatch.com/index.jsp.

  2. Log in using admin/admin credentials.

    Pickup Dispatch home page

  3. Access the Pickup Manager application, http://localhost.com:8080/saml2-web-app-pickup-manager.com/index.jsp.

  4. Log in using admin/admin credentials.

    Pickup Manager home page

  5. Now log out of the Pickup Dispatch application.

  6. You can see that you have been logged out of the Pickup Manager application as well.

    Logout message

Related topics

Top